From supply chain cyber attacks to ransomware, there is plenty of risk facing modern digital businesses. Cyber insurance can help mitigate that risk, but the complexity of cybersecurity insurance requirements can often create a catch-22 for businesses.
While cyber insurance can reduce liability and financial exposure, it’s also getting more complex and expensive to meet cyber insurance requirements. For example, the 2023 State of Cyber Insurance report from Delinea found that the time and effort involved in obtaining cyber insurance is significantly increasing and 67% of respondents indicated their rates have increased anywhere from 50% to 100%. Additionally, exclusions and policy requirements can lead to claims being denied even if an organization obtains the right coverage.
Effectively leveraging cyber insurance to transfer business risk requires finding a policy that works for your context and ensuring you have the security controls and IT visibility to support a claim if the time comes. Of course, that’s easier said than done.
In this article, I’ll take a deep dive into the world of cyber insurance, gotchas to look out for, and how IT visibility can help you meet strict insurance requirements.
What is cyber insurance?
Cyber insurance, or cybersecurity insurance, is a type of insurance policy that provides coverage for cybersecurity incidents. The specific items a policy covers vary from plan to plan, but typical examples of covered events include:
- Data breaches
- Attacks against an organization’s network
- Attacks that compromise an organization’s data held by third parties
In addition to what type of cybersecurity incidents a policy covers, organizations should consider what the provider will cover in the event of a claim. Covering the cost of lost data is just one part of the potential overall costs. For example, does the policy have a “duty to defend” that provides representation for lawsuits or regulatory claims? What about fines stemming from a cybersecurity incident or lost income?
Understanding exactly what you’re getting from a policy can help you find the right cybersecurity insurance for your business context. For small businesses, the Federal Trade Commission (FTC) provides a useful checklist of options to consider.
Understanding first-party vs. third-party cyber coverage
At a high level, there are two different types of cybersecurity insurance coverage: first-party cyber insurance and third-party cyber insurance.
First-party coverage covers an organization’s own systems and data. For example, a first-party policy might cover the costs of recovering compromised data, lost income, and legal counsel after an organization experiences a data breach and files a claim.
Third-party cyber insurance, also known as cyber liability insurance, covers claims made by a third party against an organization. For example, a cyber liability insurance policy might cover payments an organization makes to its end users as the result of a breach, litigation costs, and accounting costs.
10 cyber insurance requirements in 2023
Just like many other insurance packages, cyber insurance policies typically include requirements an organization must meet to receive coverage. Failure to meet cybersecurity insurance requirements can lead to an organization paying higher premiums, being unable to get an application approved, or having their claim rejected when they need it most.
The process to obtain cyber insurance typically starts with an application. As an example, Travelers’ Cyber Risk application includes sections on:
- Data Inventory
- Privacy Controls
- Network Security Controls
- Payment Card Controls
- Content Liability Controls
- Business Continuity / Disaster Recovery / Incident Response
- Vendor Controls
Of course, specific requirements will vary depending on the policy and provider, but several requirements are typical across the industry.
Let’s take a look at 10 common cybersecurity requirements in 2023.
1. Identity and access management (IAM)
Cyber insurance policies often require strong IAM controls in an environment. For example, multi-factor authentication (MFA) for privileged accounts is a typical requirement, and underwriters increasingly ask whether it is enforced rather than merely available. Similarly, enforcing the principle of least privilege through role-based access control (RBAC) or a similar framework may be required.
2. Network security controls
The network is a large attack surface, and network security is a key component of overall security posture. So, it’s no surprise that cybersecurity insurance applications often include questions about network security. For example, an application may include questions about using network security appliances like firewalls and IPS/IDS (intrusion prevention system/intrusion detection system) or how remote access to networks is granted (e.g. using VPN).
3. Endpoint protection
Antivirus or endpoint detection and response (EDR) tooling may be required for end-user PCs and servers. These solutions can reduce the risk of endpoint compromise and contain a breach before it does meaningful damage.
4. Security awareness training
For many threats, particularly social engineering attacks like phishing, humans are the weakest link in the chain. In fact, a study by Stanford University Professor Jeff Hancock and Tessian found that human error causes 88% of data breaches. Clearly, addressing the human side of cybersecurity can have a significant impact on overall security posture.
Security awareness training (SAT) helps keep employees informed on security best practices and reduces the risk of individuals performing insecure actions or falling victim to a social engineering attack.
5. Disaster recovery
A sound backup and disaster recovery strategy is an essential component of business continuity and resilience. It can also make a world of difference if an organization has to recover from a breach. Cybersecurity insurance policies may require or incentivize organizations to have backups and a recovery strategy.
6. Incident response plans
An incident response plan provides organizations with a playbook for cybersecurity issues and can help mitigate negative impacts. A well-defined plan should cover all aspects of the incident response lifecycle. If you’re unsure where to start, the four phases in NIST SP 800-61 Rev. 2 (preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity) provide a useful framework.
7. Vulnerability assessments
Vulnerability assessments (typically automated scanning for known weaknesses) and penetration tests (hands-on attempts to exploit them) help organizations identify and address security issues in their infrastructure and processes. Security is a constant game of cat and mouse, and what’s secure today might be exposed by tomorrow’s zero-day vulnerability. That’s why regular vulnerability assessment is good security practice and a common cyber insurance requirement.
8. Patch management
Regularly applying security patches and updates is one of the biggest “bang for your buck” practices an organization can follow. While you can’t preempt every possible security incident, you can apply patches that address known issues.
9. Regulatory compliance
Regulations like HIPAA, PCI DSS, and GDPR come with the risk of fines and penalties for non-compliance. Cybersecurity insurance applications will often include questions around an organization’s compliance requirements and compliance status. If you’re not currently compliant with a relevant regulation, the policy provider may request information about steps you are taking to achieve compliance.
10. Data classification and protection
Different categories of data carry different levels of risk. For example, cardholder data (CHD) and personally identifiable information (PII) typically require stricter security controls than information in the public domain. Classifying and protecting data based on its sensitivity helps organizations quantify and manage risk.
5 common causes for cybersecurity insurance application rejections
With an understanding of what cybersecurity applications require, we can start to understand why an application might be rejected. While the specifics of any individual application will vary, five of the most common cybersecurity insurance requirements organizations fail to meet during the application process are:
- Inadequate security controls. This one is simple. An organization’s existing security practices and infrastructure may not meet a provider’s cyber insurance requirements.
- Failure to demonstrate security controls. In some cases, organizations have adequate controls in place, but can’t sufficiently demonstrate they meet cybersecurity requirements. Often, this is a sign of poor network visibility and documentation. It goes back to what we’re always saying here at Auvik: you can’t secure what you can’t see.
- Lack of cybersecurity training. With the human element of cybersecurity being so important, providers are placing an emphasis on educating employees on security best practices.
- Previous data breaches. If an organization has fallen victim to a data breach in the past, providers may view them as riskier and deny coverage or charge higher premiums.
- Operating in a high risk or ineligible industry. In some cases, insurance providers opt not to cover businesses operating in certain industries. Using the previous Travelers example, companies involved in paramilitary operations, adult entertainment, and marijuana would not be considered for coverage.
4 common causes for cybersecurity claim rejections
According to the Cyber Management Alliance, it’s estimated that 27% of cyber insurance claims were denied or only partially paid due to exclusions in coverage.
Here is a look at common reasons cybersecurity claims are rejected.
- Misrepresenting security controls. If a provider determines you did not have required or stated security controls in place at the time of a breach, your claim may be denied, or the policy itself may be rescinded. Case in point: in Travelers Property Casualty Company of America v. International Control Services, Inc., the insurer sued to rescind the policy after a ransomware incident revealed that MFA, which the insured had attested to on its application, was not in place on the affected systems.
- Incorrect application information. Similar to misrepresentation of security controls, if the assets in question are not properly identified or a claim falls outside of what was represented in an application and resulting policy, a claim may be denied.
⚠️This is where lack of network visibility can really hurt the process. If you don’t know about a condition or asset, you can’t correct it. ⚠️
- Late or improper notification. Like any other insurance product, organizations must file claims properly and in a timely fashion.
- Excluded events. It’s important for organizations to understand what is and isn’t covered under a cyber insurance policy. For example, if a loss can be attributed to an act of war carried out by a state-level actor, it may not be covered.
How Auvik helps organizations meet cyber insurance requirements
[pull quote] “Complete visibility into the network and all its connected devices provides considerable security advantages. After all, you can’t secure what you can’t see.”
Auvik can help organizations meet cybersecurity insurance requirements by improving their overall visibility and governance. From an implementation perspective, the Auvik SaaS Management platform (ASM) helps with application and account assets and the Auvik Network Management (ANM) platform provides a physical asset inventory.
Let’s take a closer look at how each solution can directly improve overall security posture and streamline cyber insurance applications and claims.
Auvik SaaS Management (ASM)
In addition to enabling tight SaaS spend management controls and reducing shadow IT-related risk, ASM provides a detailed inventory of user accounts, applications, and access logs associated with SaaS applications throughout an organization.
From the perspective of cybersecurity insurance requirements, having a SaaS management platform helps organizations solve several key problems:
- Creation of a complete SaaS asset inventory
- Visibility into the use of multifactor authentication (MFA) and single sign-on (SSO) throughout an organization
- Detailed access and security logs for SaaS applications
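The MFA requirement above (and the claim-denial scenario in the previous section, where an insurer found that attested MFA was not actually in place) comes down to being able to prove, per privileged account, which second factor is enrolled. The following is an added example, not Auvik’s code or anything from the original article: it takes an account inventory exported from an identity provider (the field names and role names are assumptions, and the sample accounts are constructed) and produces the evidence an underwriter would ask for on the MFA question, plus a least-privilege finding for privileged accounts that have not been used recently.

```python
"""Audit an exported account inventory for the "MFA on privileged accounts" control.

Added example, not part of the original article or Auvik's products. It assumes
an inventory exported from an identity provider as a list of dicts with the
fields shown in SAMPLE_ACCOUNTS. Role names and MFA method names are assumptions;
real exports depend on the identity provider.
"""
import json
from collections import Counter

# Roles treated as privileged for this control (assumed names).
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "billing_admin", "security_admin"}

# MFA methods ranked by strength. "none" means no second factor is enrolled;
# SMS is weakest among real factors; FIDO2 is phishing-resistant.
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "push": 2, "fido2": 3}

# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "roles": ["global_admin"], "mfa": "fido2", "last_login_days": 2},
    {"user": "bob", "roles": ["helpdesk"], "mfa": "none", "last_login_days": 5},
    {"user": "carol", "roles": ["domain_admin", "helpdesk"], "mfa": "sms", "last_login_days": 40},
    {"user": "dave", "roles": ["billing_admin"], "mfa": "none", "last_login_days": 200},
    {"user": "svc-backup", "roles": ["domain_admin"], "mfa": "none", "last_login_days": 1},
]


def is_privileged(account):
    """True if the account holds at least one privileged role."""
    return any(role in PRIVILEGED_ROLES for role in account["roles"])


def audit_mfa(accounts, min_strength=2, stale_days=90):
    """Return evidence for the MFA question on an insurance application.

    A privileged account fails when its MFA method is weaker than min_strength
    (default 2: "none" and "sms" fail, app-based and hardware factors pass).
    Privileged accounts unused for more than stale_days are reported separately:
    they are a least-privilege finding even when MFA is enrolled.
    """
    privileged = [a for a in accounts if is_privileged(a)]
    findings = []
    stale = []
    for account in privileged:
        strength = MFA_STRENGTH.get(account["mfa"], 0)  # unknown method counts as none
        if strength < min_strength:
            findings.append({
                "user": account["user"],
                "mfa": account["mfa"],
                "privileged_roles": [r for r in account["roles"] if r in PRIVILEGED_ROLES],
            })
        if account["last_login_days"] > stale_days:
            stale.append(account["user"])
    coverage = 1.0 - len(findings) / len(privileged) if privileged else 1.0
    return {
        "privileged_total": len(privileged),
        "privileged_without_adequate_mfa": findings,
        "stale_privileged": stale,
        "mfa_coverage": round(coverage, 3),
        "method_breakdown": dict(Counter(a["mfa"] for a in privileged)),
    }


if __name__ == "__main__":
    # Run against the constructed sample; on a real export, load the JSON instead.
    print(json.dumps(audit_mfa(SAMPLE_ACCOUNTS), indent=2))
```

Note that `min_strength` is a policy decision: some underwriters accept SMS, others now ask specifically for app-based or phishing-resistant MFA, so run the audit with the threshold your policy language actually uses and keep the output alongside the application as evidence of what was attested.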
Auvik Network Management (ANM)
ANM provides visibility into the network-side of cybersecurity and can streamline the process of answering these questions:
- What hardware assets do I have?
- Are they up to date or do I need to deploy a patch?
- How are systems behaving?
For example, in addition to creating detailed network maps that dynamically represent the connections between devices, ANM’s TrafficInsights uses flow protocols to identify which applications are in use, show where traffic is going when it leaves the network, and let you drill down into flow data for detailed traffic analysis.
One of the interesting results of cybersecurity insurance requirements is that they have further incentivized good security practices. If an organization wants to obtain cyber insurance, they often need to do things like enforcing MFA or conducting security training that they should be doing anyway.
The same holds for increased network and SaaS visibility. Even if you’re not in the market for cyber insurance, ensuring you have this level of visibility can reduce risk, improve security posture, and enable better governance over IT assets.
From that perspective, increased network visibility reduces the likelihood of a breach and can reduce the challenges associated with obtaining cyber insurance in a world where providers want to offset their own risk.